Is Fraud Risk Assessment Any More Accurate Than Fortune Telling?
When you think of a fortune teller, you may picture an older woman with a scarf on her head hunched over a crystal ball or a man sporting impressive facial hair and lots of rings shuffling a deck of tarot cards. Regardless of how you picture this hypothetical fortune teller, you likely are already judging them through a skeptical lens. Fraud examiners tend to be skeptical by nature, and people who read palms, purport to talk to dead family members or promise any sort of glimpse into the future seem to promise the impossible. However, the way that fortune tellers use cold readings in their practices can have many similarities to how anti-fraud professionals approach fraud risk assessments.
In his session, “Fraud Precognition: Crystal Balls, Tarot Cards and Other Risk Management Tools,” at the 32nd Annual ACFE Global Fraud Conference, Jack Healey, CFE, CPA/CFF, compared some fortune-telling techniques to common pitfalls in fraud risk assessment. Healey, the CEO of Bear Hill Advisory Group, told attendees that when approaching fraud risks, they need to ask themselves, “Am I any better than a fortune teller?”
“No matter what that course of your vocation is, you’re always going to deal with risk,” said Healey. The key to performing a successful risk assessment is to approach it in a structured manner and to look at the risks on a granular level. Cold readings performed by fortune tellers work because they are general in nature. You may try to approach risk assessments generally as well — since you may think you’ll cover all bases that way — but you need to look deeper and get specific if you want your plan to work.
The first step of a successful fraud risk assessment is to make sure that everyone involved is on the same page when it comes to risk. Widely used frameworks like COSO, ISO 31000 and NIST each define risk differently. “We don’t even agree on the definition of risk management,” said Healey. He said you need to sit down and figure out what the definition of risk means specifically for your organization. “When I go in the room, I make sure I’m speaking the same language as the other people.”
After figuring out how you define risk, you have to determine your fraud risk appetite. “It’s important to note risk is a positive as well as a negative,” Healey reminded attendees. Risk can mean growth or being first to market, so some departments might have a higher risk appetite. He warned that boards can be more vague in their direction about risk, saying something like, “We don’t want to hurt our brand or reputation … it’s basically ‘don’t surprise us.’” It’s important to take everyone’s viewpoints into consideration and find a risk appetite that is comfortable for all involved.
Those differing opinions about risk appetite can also be thought of as themes. “Everybody, as they talk about brainstorming, will stick to their themes,” said Healey. “When we talk about our themes, we need to make sure we’re listening to everybody.” Those themes may be fraud-related, but the approach is similar to how fortune tellers use themes in their readings. The difference is that fortune tellers tend to use themes like career, romance and travel, while anti-fraud professionals think in terms of strategy, innovation and cost.
Another important part of both cold reading and risk assessment is timing. Cold readings look to either the past or future. Risk assessments also need to look at the future, but the best way to determine future risks is by looking at what has already occurred. “We should worry about the risk we already incurred once,” said Healey. “Odds are if it’s happened to us before, it’s going to happen to us again … you have to take what is possible in the world and relate it back to probable,” Healey explained.
Another important factor of timing in fraud risk assessments is the concept of “Velocity of Risk” (VoR). Some risks may occur quickly and cause a lot of damage, while others can happen slower, but still cause a drawn-out, costly problem. Frauds like ransomware attacks have a fast velocity, while a bookkeeper writing themselves an extra paycheck each month has a slower velocity. “Things may come on fast and have a big impact and be short of duration,” he said. “If you look at fraud, fraud risk is historically a very low velocity risk.” Healey said that understanding the VoR of potential risks is important because that determines the response you should prepare to take. “If it’s a high-velocity risk, it better be a high-velocity response.”
One more pivotal aspect Healey stressed to attendees was differentiating between primary and secondary risks. “Every primary risk has a secondary risk,” he said. For example, if your organization is a victim of a data breach, the odds that customer, vendor and employee information will be exposed and sold on the dark web are high. That secondary risk of stolen PII means that your organization will likely need to hire credit monitoring services and security experts, and possibly employ other mitigation tactics. While it may be difficult to accurately predict primary risks, secondary risks are easier to figure out and should be included in fraud risk assessments. “The probability of a secondary loss is usually 100%.”
Healey ended his session with a short tarot reading for the attendees using his cat-themed tarot deck. While he was having fun with it, he summed up his session by drawing it back to risk assessments. He said the point of the reading was to show that “as long as you’re general, and as long as you hold the audience’s attention … I can then tell a story that is believable.” That’s how cold readers operate. But he urged anti-fraud professionals to make sure that their risk assessments aren’t just telling a story that’s believable. He told them to make sure it’s probable, get granular with details and response steps and to think about fraud velocity.
By following his advice on fraud risk assessments, you won’t need a crystal ball to stay two steps ahead of fraud.